Monday, April 24, 2017

Building a lab to test Centrify capabilities in Amazon AWS

The goal of this article is to set up the building-blocks to test Centrify Server Suite and Privilege Service in an AWS environment. This article is the foundation for several how to guides in development.

In the Create Bucket dialog box, in the Bucket Name box, type a name for your bucket (must be unique).

In the Region box, click the region where you want the bucket to reside.

Optional - Enable logging.

Click Create.

Sanity Check # 1

At this point, you should have the following credentials and resources:

An Amazon account (your root account) that has all the rights to your AWS account; this account is your email account.

If you created an IAM user, you should have that credential too.

An AWS key-pair that allows you to SSH into Linux instances using the ec2-user or decrypt Windows Administrator passwords.

You have created a virtual private cloud (VPC)

You have configured a security group that allows you to access the AWS EC2 instances/services and communications between them. You'll be using this security group for all newly-created EC2 instances.

You have an S3 bucket that you can use later to host files.

Active Directory in AWS

Active Directory in AWS (or other clouds) can be deployed in different ways. It all boils down to the connectivity between your corporate network and AWS. If there's a dedicated VPN, and provided that DNS and security rules are well designed, you can either extend or duplicate your AD infrastructure in AWS.

This article is not concerned with that. If you are building a lab, most likely you'll be using the scenario where AD is run in AWS (hosted by you on EC2 instances) or hosted by AWS (Simple AD or AWS Directory Service).

Note that whether you set up your own or use a hosted option, you should have the domain name, the IP address(es) of the domain controller(s) and an admin credential. The addresses are needed for the next step, and the credential is needed to manage AD with tools like AD Users and Computers.

3. Modify DHCP Option Sets to align with your new DNS

Without properly functioning DNS, there is no Active Directory functionality. DHCP option sets in AWS make this very easy, and you don't need to add the complexity of Route53 (AWS's DNS service).

Create a DHCP option set with your domain name and DNS servers (your DC and the Amazon-provided DNS): in Name tag, provide a descriptive name; in Domain name servers, type the IP address of the DC(s) and the Amazon-provided DNS; in Domain name, type the AD domain name.

Press Yes, Create.

In the navigation pane, choose Your VPCs.

Select the VPC(s) for your lab, and select Edit DHCP Options Set from the Actions list.

In the DHCP Options Set list, select the set you created, and then choose Save.

Sanity Check # 2

At this point, you should have:

A running domain controller (either managed by you or a hosted Active Directory), and you should be able to connect to it as an administrative user.

Your domain controller should be running Microsoft DNS hosting the AD records. Write down the IP address and domain name.

DNS resolution in your subnets: when you launch an EC2 instance and ping your DC by name, it should resolve, as should public FQDNs.

Centrify Standard Edition Lab Setup - Member Server

The member server will run the Active Directory and Centrify tools. In addition, it can serve as a Centrify Connector and DirectAudit infrastructure. This post will focus on the AD and Centrify tools:

This script creates our cast of AD users and a group inside the AWSDemo OU. Make sure you change the text in red to fit your environment.

Create and Configure a Centrify Zone

Our zone name will be AWS, and it will have a very simple setup. All users will be UNIX-enabled and there will be three roles: a UNIX sysadmin role, a Windows sysadmin role and a regular UNIX user role.

Make sure you correct any major errors reported by adcheck. The key here is name resolution and connectivity with your domain controllers; if you laid out your security rules correctly and DNS resolves the AD records, you should be fine.

Modify default AWS EC2 SSH Server Settings

By default, OpenSSH on AWS EC2 is not configured to allow password authentication. Although with Centrify the underlying authentication uses Kerberos to talk to the DCs, the user must still be allowed to type a password in an SSH session.
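The sshd_config change described above, as an added example (not code from the original post): a POSIX shell function that idempotently sets PasswordAuthentication to yes in a given file, plus a helper that reports the value sshd would actually use (in sshd_config the first uncommented directive wins, and the built-in default is yes). The sample file contents are constructed; on a real instance you would run the function against /etc/ssh/sshd_config with sudo, then validate with sshd -t before restarting sshd, and rely on the security group from Sanity Check # 1 to keep port 22 reachable only from where you expect.

```shell
# Added example: enable password authentication for sshd so that AD users
# (authenticated by Centrify via Kerberos/PAM) can type a password over SSH.
set -eu

# enable_password_auth FILE
# Rewrites every active PasswordAuthentication directive to "yes".  If no
# active directive exists, the new one is placed at the top of the file so
# that a later Match block cannot scope it.  Running it twice is harmless.
enable_password_auth() {
    f=$1
    tmp=$(mktemp)
    if grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]' "$f"; then
        sed -E 's/^[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication yes/' "$f" > "$tmp"
    else
        { printf 'PasswordAuthentication yes\n'; cat "$f"; } > "$tmp"
    fi
    cat "$tmp" > "$f"   # cat rather than mv keeps the original owner/mode
    rm -f "$tmp"
}

# effective_password_auth FILE
# Prints "yes" or "no": the first uncommented directive wins, default "yes".
effective_password_auth() {
    awk 'tolower($1)=="passwordauthentication" { print tolower($2); found=1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Demo on a constructed copy of the Amazon Linux default (never the live file).
demo_sshd_config() {
    d=$(mktemp)
    printf '# constructed sample\nPasswordAuthentication no\nChallengeResponseAuthentication no\n' > "$d"
    before=$(effective_password_auth "$d")
    enable_password_auth "$d"
    after=$(effective_password_auth "$d")
    rm -f "$d"
    printf '%s -> %s\n' "$before" "$after"   # prints "no -> yes"
}
```

After editing the real file, `sudo sshd -t` must print nothing (no syntax errors) before you restart the service.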

$ sudo adjoin -z AWS -c "ou=servers,ou=centrify" -n demo3 -u admin awsrealm.centrifying.net
admin@AWSREALM.CENTRIFYING.NET's password:
Using domain controller: dc1.awsrealm.centrifying.net writable=true
Join to domain:awsrealm.centrifying.net, zone:AWS successful
Centrify DirectControl started.
Initializing cache
.
You have successfully joined the Active Directory domain: awsrealm.centrifying.net
in the Centrify DirectControl zone: CN=AWS,CN=Zones,OU=Centrify,DC=awsrealm,DC=centrifying,DC=net
You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation. Failure to do so may result in
login problems for AD users.

Verify your UNIX Access and Privilege model

Connect to your Linux system using SSH (e.g. PuTTY or ssh) and log in as one of your AD users (e.g. lisa).

Join to a Zone > Select the zone you created earlier (AWS) and press Next.

Note: you may be asked to add the Domain Administrators to the Login role. You must do this; otherwise the only user who will be able to sign in will be maggie (in this example).

Configuration completed, Press Finish.

If asked to restart, press Yes when you are ready.

Verify your Windows Access and Privilege model

Sign in to your Windows system as a member of the Domain Admins group.

Right-click Start and run mstsc -v member -w:800 -h:600 (this launches an RDP session).

Attempt to log in as maggie (she should be able to log in).

Open the Windows systray, right-click the Centrify icon > Authorization Center, and click on the Effective Roles tab.

Note Maggie's current roles in the AWS zone. Log off.

Repeat step 2, and now try to log in as Bart. The logon should be denied; this is because Bart has not been assigned a role that allows Windows access.

Press OK and close. At this point, you have tested the access model on Windows.

Sanity Check # 4

At this point, you should have:

Centrify tools installed on your member server (e.g. DirectManage)

A domain-joined Amazon Linux instance

In the Centrify zone, a Linux instance and your Windows member server

You have tested your access and privilege model on both the Linux and Windows platforms.

MILESTONE: You now have a system that you can use for sanity checks and to generate some of the tools required for the Standard Edition AWS labs. This is the state of your lab:

Once your tenant is set up, open its URL (e.g. https://your-tenant.my.centrify.com/manage) from the browser in your EC2 Windows instance (member server).

Note that you may have to relax the IE ESC settings on Windows or download an alternative browser like Chrome or Firefox.

Navigate to Settings > Network and click "Add Centrify Connector"; this will download the Connector bits.

Double-click the Connector zip file and run the included setup file; this will start the installation wizard:
- Welcome Page - press Next
- EULA Page - check the box and press Next
- Custom Setup - only install the Centrify Connector
- Ready to Install - press Next
When complete, press Finish. This will launch the Configuration Wizard.

In the Configuration Wizard:
- Welcome Page - press Next
- Centrify Connector Configuration - provide your admin account name and password
- Connector Configuration - optional: check the box to join the domain (you may not be able to if you're using a managed AD)
- Connection Test - should be successful if your instance is allowed to go out to the Internet; press Next
- Configuring Connector - press Next and then Finish